-----Original Message-----
From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of Mark Weaver
Sent: Monday, December 31, 2007 8:09 PM
To: centos at centos.org
Subject: Re: [CentOS] Firewall frustration

On Mon, 31 Dec 2007 12:21:34 -0500 Robert Moskowitz <rgm at htt-consult.com> wrote:
> William L. Maltby wrote:
> > On Mon, 2007-12-31 at 09:33 -0500, Robert Moskowitz wrote:
> >> Peter Farrell wrote:
> >>> "Problem is I want a REAL router/firewall with little work."
> >>>
> >>> Run a smoothwall installation and replace your CentOS install.
> >>>
> >>> http://www.smoothwall.org/
> >>
> >> well first challenge is my unit's USB ethernet dongles. Centos uses
> >> the RTL 8150 driver for them. Smoothwall only lists the RTL 8129,
> >> 8139, and 8169...
> >
> > I've used this at home for years. I don't know if it's suitable, but
> > it seems *very* flexible. Allows for NAT or not, has typical zones,
> > reporting, IPTables modification support, ...
> >
> > http://www.ipcop.org/
> >
> > Has run/tested successfully on various configurations here. It's
> > another "ditch your CentOS" solution though. But you can put it on
> > any old junk laying around and it'll probably work. Using cable
> > modem in the boonies, 486DX/66 gives about 450KB/sec, Pentium 200MHz
> > pci gives <= 700MB/sec - both from decent sites. Tested using both
> > ISA and PCI bus adapters through both twisted pair and thin coax.
>
> As I thought about things this morning, trying to put up smoothwall, I
> realized that one of my goals is to have a tool to turn a Centos
> system that I am using for foo, into a firewall for bar for a day. I
> have Astaro for my serious firewall needs (see later post), but need
> something 'portable'. You see I have these plans with some small itx
> systems....

have you considered linux that fits on a floppy disk?

http://mypage.uniserve.ca/~thelinuxguy/small_and_floppy_linux/
http://www.linuxlinks.com/Distributions/Floppy/
http://www.dmoz.org/Computers/Software/Operating_Systems/Linux/Distributions/Tiny/Floppy_Sized/

get one running and configured and save to floppy... things go south reboot the machine and everything is back. no hard drives to worry about...

--
Mark

"Drunkenness is not an excuse for stupidity. If you're stupid when you're sober then that's one thing, but if you're sober when you're stupid, then you're just plain stupid!"
==============================================
Powered by CentOS5 (RHEL5)

I have this vision of a live CD that would come up and pull down its config via SCP or HTTPS and run. Or maybe a PGP encrypted file over TFTP. No writable media in the machine at all, no access to write to the configs, just a dumb device that knows where to get its config. Any compromise could be fixed with just a reboot, the config could even be reloaded at some interval automatically, off machine logging, perhaps even without an interface.

You could more than likely go one step further and use PXE to load everything over NFS or something, then you are at no moving parts. Unfortunately, I have the ideas but not the knowledge or time.

In my opinion, this would be the ultimate evolution of things like IP Cop and Smoothwall. I want to say that monowall had this on the roadmap, but I haven't looked lately. Appears someone has done some work on it:

http://people.freebsd.org/~nik/m0n0wall/pxe+nfs/article.html
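The boot-time fetch, verify, apply and re-pull loop sketched in the last message, as an added example that is not code from this thread or from any of the projects named in it. It assumes a read-only boot image containing curl, gpgv and iptables-restore plus a pinned GnuPG keyring, a detached signature published next to the ruleset (a signed file rather than an encrypted one, so the device holds no secret), a tmpfs working directory, and a placeholder CONFIG_URL.

```shell
#!/bin/sh
# Added example (not from the thread): diskless firewall that pulls a signed
# iptables ruleset at boot and re-pulls it at an interval. Everything under
# /run lives in tmpfs, so a reboot returns the box to the image's state.
set -eu

CONFIG_URL="${CONFIG_URL:-https://config.example.invalid/fw/rules.v4}"  # placeholder
KEYRING="${KEYRING:-/etc/fw/trusted.gpg}"   # assumed: pinned key in the boot image
INTERVAL="${INTERVAL:-600}"                 # seconds between re-pulls
WORK="${WORK:-/run/fwconfig}"               # assumed tmpfs, nothing persists

# Refuse a ruleset that is not a complete filter table with DROP defaults on
# INPUT and FORWARD: a truncated or careless file must not leave the box open.
check_ruleset() {
    f="$1"
    grep -q '^\*filter$' "$f" || return 1
    grep -q '^:INPUT DROP' "$f" || return 1
    grep -q '^:FORWARD DROP' "$f" || return 1
    grep -q '^COMMIT$' "$f" || return 1
}

# Fetch ruleset + detached signature over HTTPS and verify the signature
# against the pinned keyring only (gpgv ignores the user's default keyrings).
fetch_and_verify() {
    mkdir -p "$WORK"
    curl -fsS --max-time 30 -o "$WORK/rules.new" "$CONFIG_URL" &&
    curl -fsS --max-time 30 -o "$WORK/rules.new.sig" "$CONFIG_URL.sig" &&
    gpgv --keyring "$KEYRING" "$WORK/rules.new.sig" "$WORK/rules.new"
}

# Apply atomically: iptables-restore loads the whole file or changes nothing.
# On any failure the running ruleset is kept and the failure is logged to the
# remote syslog the image is assumed to point at.
apply_once() {
    if fetch_and_verify && check_ruleset "$WORK/rules.new"; then
        iptables-restore < "$WORK/rules.new"
        logger -t fwconfig "ruleset applied from $CONFIG_URL"
    else
        logger -t fwconfig "fetch/verify/check failed; keeping current ruleset"
    fi
}

main_loop() {
    while :; do apply_once; sleep "$INTERVAL"; done
}

# Start the loop only when invoked with "run" (so the file can be sourced).
if [ "${1:-}" = "run" ]; then main_loop; fi
```

Run it as `sh fwconfig.sh run` from the image's init; the off-machine logging and the periodic reload the message asks for come from logger pointing at a remote syslog and from INTERVAL.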